ironcore-dev
diff --git a/‎.github/workflows/checks.yaml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/checks.yaml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/ci.yaml‎
Lines changed: 2 additions & 2 deletions b/‎.github/workflows/ci.yaml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎.github/workflows/goreleaser.yaml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/goreleaser.yaml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/test-chart.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/test-chart.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/test-e2e.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/test-e2e.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎api/core/v1alpha1/groupversion_info.go‎
Lines changed: 8 additions & 0 deletions b/‎api/core/v1alpha1/groupversion_info.go‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎charts/network-operator/templates/extras/controller-manager-tftp-service.yaml‎
Lines changed: 21 additions & 0 deletions b/‎charts/network-operator/templates/extras/controller-manager-tftp-service.yaml‎
Lines changed: 21 additions & 0 deletions
diff --git a/‎charts/network-operator/templates/manager/manager.yaml‎
Lines changed: 6 additions & 0 deletions b/‎charts/network-operator/templates/manager/manager.yaml‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎charts/network-operator/values.yaml‎
Lines changed: 6 additions & 6 deletions b/‎charts/network-operator/values.yaml‎
Lines changed: 6 additions & 6 deletions
diff --git a/‎cmd/main.go‎
Lines changed: 22 additions & 1 deletion b/‎cmd/main.go‎
Lines changed: 22 additions & 1 deletion
@@ -29,7 +29,7 @@ jobs:
         uses: actions/setup-go@v6
         with:
           check-latest: true
-          go-version: 1.26.1
+          go-version: 1.26.2
       - name: Run prepare make target
         run: make generate
       - name: Run golangci-lint
 
@@ -32,7 +32,7 @@ jobs:
         uses: actions/setup-go@v6
         with:
           check-latest: true
-          go-version: 1.26.1
+          go-version: 1.26.2
       - name: Run prepare make target
         run: make generate
       - name: Build all binaries
@@ -67,7 +67,7 @@ jobs:
         uses: actions/setup-go@v6
         with:
           check-latest: true
-          go-version: 1.26.1
+          go-version: 1.26.2
       - name: Run prepare make target
         run: make generate
       - name: Run tests and generate coverage report
 
@@ -27,7 +27,7 @@ jobs:
         uses: actions/setup-go@v6
         with:
           check-latest: true
-          go-version: 1.26.1
+          go-version: 1.26.2
       - name: Run prepare make target
         run: make generate
       - name: Install syft
 
@@ -27,7 +27,7 @@ jobs:
         uses: actions/setup-go@v6
         with:
           check-latest: true
-          go-version: 1.26.1
+          go-version: 1.26.2
       - name: Fetch latest kubectl version
         id: kubectl
         run: |
 
@@ -27,7 +27,7 @@ jobs:
         uses: actions/setup-go@v6
         with:
           check-latest: true
-          go-version: 1.26.1
+          go-version: 1.26.2
       - name: Fetch latest kubectl version
         id: kubectl
         run: |
 
@@ -210,6 +210,14 @@ const (
 	PrefixSetNotFoundReason = "PrefixSetNotFound"
 )
 
+// Reasons that are specific to [BGPPeer] objects.
+const (
+	// BGPNotFoundReason indicates that no BGP resource was found for the device
+	// referenced by the BGPPeer. A BGPPeer cannot function without a BGP process
+	// running on the same device.
+	BGPNotFoundReason = "BGPNotFound"
+)
+
 // Reasons that are specific to [BorderGateway] objects.
 const (
 	// BGPPeerNotFoundReason indicates that a referenced BGPPeer was not found.
 
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/name: {{ include "network-operator.name" . }}
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    control-plane: controller-manager
+  name: {{ include "network-operator.resourceName" (dict "suffix" "controller-manager-tftp-service" "context" $) }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  ports:
+  - name: tftp
+    port: 1069
+    protocol: UDP
+    targetPort: 1069
+  selector:
+    app.kubernetes.io/name: {{ include "network-operator.name" . }}
+    control-plane: controller-manager
+  type: ClusterIP
@@ -35,6 +35,9 @@ spec:
       {{- with .Values.manager.nodeSelector }}
       nodeSelector: {{ toYaml . | nindent 10 }}
       {{- end }}
+      {{- with .Values.manager.imagePullSecrets }}
+      imagePullSecrets: {{ toYaml . | nindent 8 }}
+      {{- end }}
       containers:
       - args:
         {{- if .Values.metrics.enable }}
@@ -54,6 +57,9 @@ spec:
         - /manager
         image: "{{ .Values.manager.image.repository }}:{{ .Values.manager.image.tag }}"
         imagePullPolicy: {{ .Values.manager.image.pullPolicy }}
+        {{- with .Values.manager.env }}
+        env: {{ toYaml . | nindent 10 }}
+        {{- end }}
         livenessProbe:
           httpGet:
             path: /healthz
 
@@ -34,24 +34,24 @@ manager:
   podSecurityContext:
     runAsNonRoot: true
     seccompProfile:
-        type: RuntimeDefault
+      type: RuntimeDefault
 
   ## Container-level security settings
   ##
   securityContext:
     allowPrivilegeEscalation: false
     capabilities:
-        drop:
-            - ALL
+      drop:
+        - ALL
 
   ## Resource limits and requests
   ##
   resources:
     limits:
-        memory: 512Mi
+      memory: 512Mi
     requests:
-        cpu: 150m
-        memory: 256Mi
+      cpu: 150m
+      memory: 256Mi
 
   ## Manager pod's affinity
   ##
 
@@ -48,6 +48,7 @@ import (
 	"github.com/ironcore-dev/network-operator/internal/provider"
 	"github.com/ironcore-dev/network-operator/internal/provisioning"
 	"github.com/ironcore-dev/network-operator/internal/resourcelock"
+	tftpserver "github.com/ironcore-dev/network-operator/internal/tftp"
 	webhooknxv1alpha1 "github.com/ironcore-dev/network-operator/internal/webhook/cisco/nx/v1alpha1"
 	webhookv1alpha1 "github.com/ironcore-dev/network-operator/internal/webhook/core/v1alpha1"
 	// +kubebuilder:scaffold:imports
@@ -81,6 +82,8 @@ func main() {
 	var watchFilterValue string
 	var providerName string
 	var requeueInterval time.Duration
+	var tftpPort int
+	var tftpValidateSourceIP bool
 	var maxConcurrentReconciles int
 	var lockerNamespace string
 	var lockerDuration time.Duration
@@ -102,12 +105,14 @@ func main() {
 	flag.StringVar(&watchFilterValue, "watch-filter", "", fmt.Sprintf("Label value that the controller watches to reconcile api objects. Label key is always %q. If unspecified, the controller watches for all api objects.", v1alpha1.WatchLabel))
 	flag.StringVar(&providerName, "provider", "openconfig", "The provider to use for the controller. If not specified, the default provider is used. Available providers: "+strings.Join(provider.Providers(), ", "))
 	flag.DurationVar(&requeueInterval, "requeue-interval", time.Hour, "The interval after which Kubernetes resources should be reconciled again regardless of whether they have changed.")
+	flag.IntVar(&tftpPort, "tftp-port", 1069, "The port on which the inline TFTP server listens. Set to 0 to disable the TFTP server.")
+	flag.BoolVar(&tftpValidateSourceIP, "tftp-validate-source-ip", false, "If set, the TFTP server validates the source IP and requested serial-based filename against the same Device.")
 	flag.IntVar(&maxConcurrentReconciles, "max-concurrent-reconciles", 1, "The maximum number of concurrent reconciles per controller. Defaults to 1.")
 	flag.StringVar(&lockerNamespace, "locker-namespace", "", "The namespace to use for resource locker coordination. If not specified, uses the namespace the manager is deployed in, or 'default' if undetectable.")
 	flag.DurationVar(&lockerDuration, "locker-duration", 5*time.Second, "The duration of the resource locker lease.")
 	flag.DurationVar(&lockerRenewInterval, "locker-renew-interval", time.Second, "The interval at which the resource locker lease is renewed.")
 	flag.IntVar(&provisioningHTTPPort, "provisioning-http-port", 8080, "The port on which the provisioning HTTP server listens.")
-	flag.BoolVar(&provisioningHTTPValidateSourceIP, "provisioning-http-validate-source-ip", false, "If set, the provisioning HTTP server will validate the source IP of incoming requests against the DeviceIPLabel of Device resources.")
+	flag.BoolVar(&provisioningHTTPValidateSourceIP, "provisioning-http-validate-source-ip", false, "If set, the provisioning HTTP server will validate the source IP of incoming requests against Device.spec.endpoint.address.")
 	opts := zap.Options{
 		Development: true,
 		TimeEncoder: zapcore.ISO8601TimeEncoder,
@@ -684,6 +689,22 @@ func main() {
 		}
 	}
 
+	// Start inline TFTP server when the configured port is non-zero.
+	if tftpPort != 0 {
+		tftpAddr := fmt.Sprintf(":%d", tftpPort)
+		srv, err := tftpserver.New(ctx, tftpAddr, tftpValidateSourceIP, mgr, klog.NewKlogr().WithName("tftp"))
+		if err != nil {
+			setupLog.Error(err, "unable to initialize TFTP server")
+			os.Exit(1)
+		}
+
+		setupLog.Info("Adding inline TFTP server to manager", "address", tftpAddr, "validateSourceIP", tftpValidateSourceIP)
+		if err := mgr.Add(srv); err != nil {
+			setupLog.Error(err, "unable to add TFTP server to manager")
+			os.Exit(1)
+		}
+	}
+
 	// +kubebuilder:scaffold:builder
 
 	if metricsCertWatcher != nil {